
William Weiner


Who Is Email Security Actually Built For?

Two-tier email protections

Email has one of the most mature security stacks in tech: SPF, DKIM, DMARC, BIMI, advanced spam filtering, and decades of infrastructure. Yet when you ask a simple question of each layer — who is this actually protecting? — a clear pattern emerges.

Authentication Protects Brands, Not Recipients

SPF verifies authorized sending servers.

DKIM cryptographically signs the message.

DMARC ties it all to the visible From: address and lets domain owners set policies.

These are excellent anti-spoofing and anti-counterfeiting tools. They protect the sender’s identity and brand reputation.

What they don’t do is ask: What is this authenticated message doing to the person receiving it?

A perfectly authenticated email (all green checks) can still contain:

  • Tracking pixels
  • Per-recipient rewritten links
  • Hidden identifiers
  • Fingerprinting techniques

The stack happily vouches for the authenticity of the surveillance.

DMARC’s Enforcement Bar Was Set Low on Purpose

When major providers finally pushed DMARC requirements in 2024, they mostly required the weakest mode: p=none (monitor only).

Meanwhile, the most common real-world spoofing attack — forging the display name while hiding the actual address — remains largely unaddressed. And the newest addition, BIMI, is essentially a paid brand-marketing feature that shows logos in inboxes.

The One Layer That Protects Recipients Is a Black Box

Spam filtering is the clear exception — it genuinely tries to protect recipients. But it’s also the only major layer that is proprietary, opaque, and controlled by the same gatekeepers who run the dominant email services.

This creates an interesting dynamic: open standards protect senders; recipient protection is a competitive moat.

The Envelope Is the Real Product

Below all the content-level protections lies the metadata — who emailed whom, when, how often, reply chains, message identifiers — which remains completely exposed. Even end-to-end encrypted email doesn’t protect the envelope.

This metadata has become extremely valuable in today’s data economy.

What Real Recipient-Side Email Security Would Look Like

If we designed email security for the person opening the message, it would be radically different:

  • Strip tracking pixels and rewrite links at the relay layer (before delivery)
  • Anonymize or replace per-recipient identifiers
  • Protect the recipient’s address as the core asset
  • Prevent reply-chain mapping across groups
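The first two items of that list, as an added example that is not part of this post or of EMail Parrot's code: a stdlib-only Python sanitizer a relay could run per recipient, dropping 1x1 open-tracking images and stripping per-recipient identifiers (the address in plain, hashed or base64 form) from links while leaving ordinary links and images alone. The function names, the token forms checked and the sample newsletter body are all constructed for this illustration.

```python
import base64, hashlib, html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def recipient_tokens(addr):
    # Forms an address commonly takes inside tracking URLs: plain, hex digests, base64
    raw = addr.lower().encode()
    forms = {addr, base64.b64encode(raw).decode(), base64.urlsafe_b64encode(raw).decode()}
    forms |= {h(raw).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
    return {f.rstrip("=").lower() for f in forms}  # lowercased for case-insensitive matching

def scrub_url(url, tokens):
    # Drop query params or a path that carry a recipient token; returns (url, changed)
    tagged = lambda s: any(t in s.lower() for t in tokens)
    p = urlsplit(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    kept = [(k, v) for k, v in params if not (tagged(k) or tagged(v))]
    path = "/" if tagged(p.path) else p.path
    return urlunsplit((p.scheme, p.netloc, path, urlencode(kept), p.fragment)), (len(kept) != len(params) or path != p.path)

class RelaySanitizer(HTMLParser):  # re-emits the body minus tracking images, with tagged links scrubbed
    def __init__(self, recipient):
        super().__init__(convert_charrefs=True)
        self.tokens, self.out, self.images_removed, self.links_rewritten = recipient_tokens(recipient), [], 0, 0
    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")  # 1x1 open-tracking pixel
        if tag == "img" and (tiny or scrub_url(a.get("src", ""), self.tokens)[1]):
            self.images_removed += 1
            return
        if tag == "a" and "href" in a:
            a["href"], changed = scrub_url(a["href"], self.tokens)
            self.links_rewritten += changed
        self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % (k, html.escape(v)) for k, v in a.items())))
    def handle_endtag(self, tag):
        if tag not in ("img", "br", "hr"):  # void elements have no closing tag
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize(body, recipient):  # -> (clean_html, images_removed, links_rewritten)
    s = RelaySanitizer(recipient)
    s.feed(body); s.close()
    return "".join(s.out), s.images_removed, s.links_rewritten

SAMPLE_HTML = (  # constructed newsletter body addressed to alice@example.com
    '<p>Hello &amp; welcome!</p><a href="https://news.example/read?article=42&amp;u=alice%40example.com">Read</a>'
    '<img src="https://track.example/o/YWxpY2VAZXhhbXBsZS5jb20/px.gif" width="1" height="1">'
    '<img src="https://news.example/logo.png" width="200" height="60">')
```

Running `sanitize(SAMPLE_HTML, "alice@example.com")` keeps the article link and the logo but drops the pixel and the `u=` identifier; the token list is a heuristic, so a relay would also log what it stripped for tuning.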

This is exactly the direction we’re building at EMail Parrot — privacy-first group email that puts the recipient first.


Read the full article here:

Who Is Email Security For?

What do you think? Has the email security stack quietly evolved into a sophisticated brand protection + marketing infrastructure while leaving recipients exposed?

I’d love to hear perspectives from email deliverability engineers, privacy advocates, and security professionals.
